Physicians have their hands full on the best of days. It’s not difficult to imagine why using a voice assistant such as Amazon’s Alexa or Apple’s Siri might be attractive.

In fact, a recent survey showed nearly one in four physicians uses the assistants for work-related purposes, such as researching prescription drug dosing. It’s likely many are unaware of the information security dangers they pose.

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

Cybercrooks’ preferred path to critical data is through privileged accounts, those held by users who have broad access and powers within the target’s network.

That’s according to a recent survey conducted by the cybersecurity firm Thycotic at the recent Black Hat conference in Las Vegas, reported Infosecurity Magazine. About a third of respondents named privileged accounts the fastest and easiest path to critical data, while user email accounts were a close second at 27 percent.

Some 85 percent said human error, not inadequate security or unpatched software, was most to blame for security breaches.

Hackers’ biggest headaches? Multifactor authentication and encryption, according to the survey.

One way to measure the increasing importance of cybersecurity to American businesses is to track how often the issue arises as a risk factor in corporate filings with the Securities and Exchange Commission.

A recent analysis by Bloomberg BNA charted a dramatic rise over the past six years, with only a tiny fraction of businesses citing cybersecurity risks in 2011 SEC filings compared to a substantial percentage in the first six months of 2017.

The report notes that a likely reason for the increase was SEC guidance issued in 2011 that clarified when cyber incidents should be disclosed in financial filings, leading to cybersecurity’s being “elevated into the general counsel’s office [and onto] the board’s agenda.”

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

New innovations come hand in hand with new privacy issues.Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app.Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.

Fordham University in New York hosted its Ninth Law and Information Society Symposium last week where policy and technology leaders came together to discuss current privacy pitfalls and solutions.Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.”She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.”The privacy policy still matters because it protects businesses from the risks associated with having a high level of data. It is especially necessary for those businesses that depend solely on private information because they are at a higher risk of breach.

The FTC (Federal Trade Commission) has suggested using an approach called “Privacy By Design” which is a method of imbedding privacy protections into the infrastructure of the app.This approach removes the concern of implementing privacy policies post-development. Another method of simplifying the privacy policy is the alert prompt that some apps have employed to consistently give consumers notice of when and where their information is used. McNabb and her fellow panelists found this method of “short, timely notices” helpful in closing the gap between the unread privacy policies and the claimed “surprise” of consumers who blame an app for the dissemination of information.

As the industry moves forward, privacy will become an even greater part of the equation. Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial. As apps and technologies become more connected to the private preferences of consumers, businesses with a leg up on privacy protections will thrive against the backdrop of those who view privacy as a second tier requirement.

The freedom from automated calls at random hours of the evening may seem like the true American dream these days as more and more companies rely on these calls to reach out and communicate with customers.Unfortunately, now that the Federal Communications Commission (“FCC”) voted to expand the Telephone Consumer Protection Act (“TCPA”) to include stringent yet vague restrictions on telemarketing robocalls, it may not be a dream for everyone.

In June of this year, in a 3-2 vote, the FCC voted on adding the rule to the TCPA that entails barring companies from using “autodialers” to dial consumers, disallowing more than one phone call to numbers that have been reassigned to different customers, and mandating a stop to calls under a customer’s wishes.These restriction may seem reasonable but dissenting Commissioner, Ajit Pai, recognized that the rule’s broad language will create issues because it does not distinguish between legitimate businesses trying to reach their customers and unwanted telemarketers.Some attorneys have further commented on the rule stating that its use of “autodialer” opens up a can of worms of interpretations and can really be viewed as any device with even the potential to randomly sequence numbers, including a smartphone.Companies using even slightly modernized tactics to reach out to their customer base are now at risk of facing litigation—and it won’t stop there.Businesses that legitimately need to reach out to their customers will be caught between a rock and a hard place as they face a one-call restriction now and may also open themselves up to litigation if a customer decides to take that route.

The FCC Chairman, Tom Wheeler, attempted to quash concerns by stating that “Legitimate businesses seeking to provide legitimate information will not have difficulties.”This statement unfortunately won’t stop plaintiff’s attorneys from greasing their wheels to go after companies who even make “good faith efforts” to abide by the new rule.Attorneys who defend businesses have recognized that the rule is ridden with issues that could potentially harm companies that simply do not have the mechanisms to fully control and restrict repeated calls or the technology that makes those calls.But, long story short, just because this rule has been put in motion, does not mean it will stand as is. Litigation and court action will likely be a natural consequence and that may result in changes for the future.For now, businesses that utilize automated phone calls should be wary of the technology used and attempt to at least keep track of numbers and phone calls made.When in doubt, talk to an attorney to make sure you are taking the appropriate precautions.

With 2013 being dubbed as the “Year of the Mega Breach” it comes as no surprise that the Federal Trade Commission (“FTC”), on June 30, 2015 published “Start with Security: A Guide for Businesses” to educate and inform businesses on protecting their data.The FTC is tasked with protecting consumers from “unfair” and “deceptive” business practices and with data breaches on the rise, it has come to take that job much more seriously.The lessons in the guide are meant to aid businesses in their practices of protecting data and the FTC cites to real examples of its data breach settlement cases to help companies understand each lesson and the real world consequences that some companies have faced.Here are the lesson headlines:

Katherine McCarron, the Bureau of Consumer Protection attorney, explained that the Bureau “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct.It is likely that this guide will become the FTC’s road map for handling future enforcement actions and will help businesses to remain on the safe side of the data breach fence.

Whether you run a mom and pop shop or a multi-million dollar company, this guide is a must-read for any business that processes personal information.

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information. The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing. The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud. “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked. The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury. Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs. Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements. S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.” Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling. He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.” Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.

About Our Firm

Fox Rothschild LLP is a national law firm with 800 attorneys practicing in 22 offices coast to coast. We’ve been serving clients for more than a century, and we’ve been climbing the ranks of the nation’s largest firms for many years, according to both The Am Law 100 and The National Law Journal.